This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ivan_Moore
Contributor
‎2018-08-27 04:17 PM

Is there a way to do a policy verify and get a full list of verification errors?

By default the verify process only returns ~20'sh verify errors.  Is there a way to get it to return everything?  

14 Replies
Danny
Champion Champion
Champion
‎2018-08-27 06:29 PM

There is definitely a way depending on the version you are using. Which is it?

R80.10 has a Management API which offers policy verification.

Example:

mgmt_cli verify-policy policy-package "standard" --version 1.1 --format json‍
0 Kudos
Lari_Luoma
Ambassador Ambassador
Ambassador
‎2018-08-27 06:45 PM
In response to Danny

Yes, there is a way to verify policy with mgmt_cli, but does that give ALL errors as Ivan asked. Haven't tested it with a policy with lots of verification errors.

0 Kudos
Danny
Champion Champion
Champion
‎2018-08-27 07:05 PM
In response to Lari_Luoma

You are Check Point's lead consultant in Seattle. Tell us.

0 Kudos
Lari_Luoma
Ambassador Ambassador
Ambassador
‎2018-08-27 07:09 PM
In response to Danny

I'm not an SE and not in Finland. The Lead part was correct. 🙂 I though you had tested it and that's why I asked. As I said I don't have a management in my lab with a lot of verification errors to test right now.

0 Kudos
Danny
Champion Champion
Champion
‎2018-08-27 07:15 PM
In response to Lari_Luoma

Corrected. I know one can put the SmartCenter into debug mode (sk44338) and see all verification errors under $FWDIR/log but I hoped Ivan would respond more swift to know which version he uses and figure out the next relevant steps.

Ivan_Moore
Contributor
‎2018-08-27 09:14 PM
In response to Danny

I am not sure what API version, but the api call you reference returns the same results as running it via SmartConsole.   

0 Kudos
Lari_Luoma
Ambassador Ambassador
Ambassador
‎2018-08-27 09:40 PM
In response to Ivan_Moore

This is my understanding as well that API should always return the same output as SmartConsole.

Jason_Rakers
Participant
‎2018-12-03 07:40 AM
In response to Danny

performing the verify-policy from Postman with web-session API call the only response I receive is a task-id.  I need to then look at the task-id to see the results of the verification.

Tomer_Sole
Mentor
Mentor
‎2018-08-27 09:39 PM

Currently we tried to balance verification errors performance with detail. So often times we "fail fast" rather than give a full list of errors that can take a while. So this thread is a good feedback.

Please note that with R80 and above, some of the things that used to fail at the "verify policy" process are now instant and live as the users make the change, blocking them from publishing the change.

Ivan_Moore
Contributor
‎2018-08-27 09:45 PM
In response to Tomer_Sole

I totally get failing fast.  It makes sense.  It would be quite useful to have a option/flag/something that could be passed to have the process not fail fast and provide everything.  

0 Kudos
PhoneBoy
Admin
Admin
‎2018-08-28 04:46 PM
In response to Tomer_Sole

Which of course doesn't help if there was a bug in the policy validation logic previously Smiley Happy

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-08-28 03:26 AM

I would suggest the procedure(s) from sk44338 How to debug Policy Verification.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Tomer_Sole
Mentor
Mentor
‎2018-08-28 04:09 AM
In response to G_W_Albrecht

adding verbose logs will not increase the amount of verification checks....

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-08-28 04:19 AM
In response to Tomer_Sole

Yes, that is a pity!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events